HTTP-AUTH Working Group Meeting
IETF 90 (Toronto)
Thursday, July 24, 2014. 10:00 - 11:30
======================================

Chairs: Yoav Nir (ynir@checkpoint.com)
        Matt Lepinski (mlepinski.ietf@gmail.com)

Chair Slides available at:
http://www.ietf.org/proceedings/90/slides/slides-90-httpauth-0.pdf

-- The Digest and Basic update documents are nearing completion. The next
   versions of these documents are planned for Working Group Last Call
   before IETF 91.

-- HOBA will be the next working group last call after the Basic and Digest
   updates. Mutual Authentication will go through working group last call
   following HOBA.

-- Authors of all working group documents should verify that their drafts
   are consistent with the new HTTP Authentication Framework, RFC 7235.

-- There will be more list discussion of whether the working group is
   interested in changes to Digest/Basic beyond the limited changes
   specified in the charter. The chairs will then follow up with the Area
   Directors about the scope of the group's efforts.

-- The Mutual Authentication algorithms draft is now a working group
   document. The authors plan to follow the lead of the TLS working group
   (and the CFRG) with regard to recommendations for elliptic curves.

=============
Raw Notes
=============

Julian: Please double-check, everyone, to make sure you are consistent with
the new authentication framework, RFC 7235.

Discussion of Basic/Digest
-- Sense of the room leaning towards not putting effort into additional
   improvements for Digest/Basic.
   Charter scope for our changes is quite limited.
   No amount of effort will turn Digest/Basic into excellent modern
   authentication mechanisms.
   Modest number of speakers.
   No one strongly in favor of trying to strengthen Digest.
   This will be discussed further on the mailing list, and the chairs will
   follow up with the Area Directors.

Digest Presentation
-- No backwards compatibility with 2069 (only 2617 compatible).
-- Removed algorithm preference from the registry.
   (Put it in the document that defines the algorithm instead.)
-- No significant discussion: no open issues.

Basic Presentation
-- Re-arranged a lot of text to make a full replacement of 2617.
   Please get more eyes on the draft.
-- Security Considerations need to be revisited.
-- Need some testing on one issue (see slides).
-- Question: Do we need an extensibility model?
   The current draft says that to add a new parameter, revise the spec...
   We could have an IANA registry, but that could be overkill.
-- Julian thinks it would be overkill to add internationalization of the
   realm parameter.
-- Colon handling in Basic is inconsistent:
   Forbidden by spec.
   Some user-agents accept colons and then remove them (concatenate) when
   sending to the server.
-- Michael Sweet requested a 'username' parameter for the default username.
-- Julian: The draft definitely needs more eyes (more than anything else).

SCRAM
-- [Note-taker did not get Tony Hansen's full comment]
   Alexey agreed with Tony Hansen, and will make the change Tony suggested.
-- Alexey will update the document with both variants and then see what
   people think.
-- Tony: Mandatory-to-implement hash function? Consider folding in a
   registration of SHA-256.

Mutual Auth
-- Plan: Do for elliptic curves what TLS does as far as which non-NIST curves
   to add.
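The colon-handling point raised under the Basic presentation above, as an added example that is not part of these minutes or of any HTTP-AUTH draft: the Basic scheme uses the first colon of the decoded credentials as the separator, so a colon in the password is harmless but a colon in the user-id cannot be told apart from the separator. The function names (encode_basic, decode_basic, verify_basic), the user table and the two client-side policies (reject the user-id, or strip the colon the way the user-agents mentioned in the notes do) are my own assumptions for illustration; the server-side split at the first colon is how the scheme defines the format.

```python
"""Basic authentication credentials and the user-id colon problem.

Added example, not code from the IETF 90 minutes or any HTTP-AUTH draft.
Assumptions (mine): the server splits the decoded credentials at the
FIRST colon, which is how the Basic scheme defines the format, and the
two client policies below (reject vs. strip) are hypothetical stand-ins
for the divergent user-agent behaviours the notes describe.
"""
import base64
import binascii
import hmac
from typing import Dict, Optional, Tuple


def encode_basic(user_id: str, password: str, strip_colons: bool = False) -> str:
    """Return the Authorization header value for the Basic scheme.

    ':' is the separator between user-id and password, so a user-id may
    not contain one.  By default a colon in the user-id is rejected;
    strip_colons=True imitates user-agents that silently drop it, which
    changes the identity that reaches the server.
    """
    if ":" in user_id:
        if not strip_colons:
            raise ValueError("user-id must not contain a colon")
        user_id = user_id.replace(":", "")
    credentials = f"{user_id}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(credentials).decode("ascii")


def decode_basic(header_value: str) -> Optional[Tuple[str, str]]:
    """Parse an Authorization header value into (user_id, password).

    Returns None for anything that is not well-formed Basic credentials.
    The split happens at the first colon only, so a colon inside the
    password survives intact while a colon in the user-id cannot be
    distinguished from the separator.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    user_id, sep, password = text.partition(":")
    if not sep:
        return None  # no separator at all: malformed credentials
    return user_id, password


def verify_basic(header_value: str, users: Dict[str, str]) -> Optional[str]:
    """Return the authenticated user-id, or None if the credentials fail.

    Uses a constant-time comparison so the password check does not leak
    how many leading characters matched.  `users` maps user-id to the
    expected password (a plaintext table here purely for the example).
    """
    parsed = decode_basic(header_value)
    if parsed is None:
        return None
    user_id, password = parsed
    expected = users.get(user_id)
    if expected is None:
        return None
    if not hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8")):
        return None
    return user_id


if __name__ == "__main__":
    # Constructed sample table (not from the minutes): the classic Aladdin
    # credentials plus a password that itself contains a colon.
    table = {"Aladdin": "open sesame", "alice": "p:w"}
    print(verify_basic(encode_basic("Aladdin", "open sesame"), table))
    print(decode_basic(encode_basic("alice", "p:w")))  # colon in password is fine
    # A user-agent that strips the colon sends a different identity:
    print(decode_basic(encode_basic("al:ice", "pw", strip_colons=True)))
```

The strip_colons path is the behaviour to watch for: "al:ice" is sent to the server as "alice", so an account lookup succeeds for a user-id the person never typed, which is why the specification forbids colons in the user-id rather than leaving the client to improvise.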